Arbitrary PHP code execution in Drupal - CVE-2012-5653
Published: September 15, 2016 / Updated: September 15, 2016
Vulnerability identifier: #VU465
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-5653
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The vulnerability allows a remote user to cause arbitrary code execution on the target system.
The weakness exists due to improper munging of uploaded files name. The vulnerability allows attacker with server permission to upload a specially named file that can bypass the filename munging and cause arbitrary code execution.
Successful exploitation of the weakness results in arbitrary code execution on the vulnerable system.
The weakness exists due to improper munging of uploaded files name. The vulnerability allows attacker with server permission to upload a specially named file that can bypass the filename munging and cause arbitrary code execution.
Successful exploitation of the weakness results in arbitrary code execution on the vulnerable system.
How to mitigate CVE-2012-5653
Update 6.x to 6.27.
https://www.drupal.org/drupal-6.27-release-notes
Update 7.x to 7.18.
https://www.drupal.org/drupal-7.18-release-notes
https://www.drupal.org/drupal-6.27-release-notes
Update 7.x to 7.18.
https://www.drupal.org/drupal-7.18-release-notes